/* * Copyright 2025 Hirokazu Kobayashi * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.idp.server.core.openid.oauth.clientauthenticator; import org.idp.server.core.openid.oauth.clientauthenticator.clientcredentials.ClientAssertionJwt; import org.idp.server.core.openid.oauth.clientauthenticator.clientcredentials.ClientAuthenticationPublicKey; import org.idp.server.core.openid.oauth.clientauthenticator.clientcredentials.ClientCredentials; import org.idp.server.core.openid.oauth.clientauthenticator.exception.ClientUnAuthorizedException; import org.idp.server.core.openid.oauth.clientauthenticator.mtls.ClientCertification; import org.idp.server.core.openid.oauth.clientauthenticator.plugin.ClientAuthenticator; import org.idp.server.core.openid.oauth.configuration.client.ClientConfiguration; import org.idp.server.core.openid.oauth.type.oauth.ClientAuthenticationType; import org.idp.server.core.openid.oauth.type.oauth.ClientSecret; import org.idp.server.core.openid.oauth.type.oauth.ClientSecretBasic; import org.idp.server.core.openid.oauth.type.oauth.RequestedClientId; import org.idp.server.platform.log.LoggerWrapper; /** * client secret basic * *

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as * defined in [RFC2617] to authenticate with the authorization server. The client identifier is * encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the * encoded value is used as the username; the client password is encoded using the same algorithm * and used as the password. The authorization server MUST support the HTTP Basic authentication * scheme for authenticating clients that were issued a client password. * *

For example (with extra line breaks for display purposes only): * *

Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 * * @see 2.3.1. Client Password */ class ClientSecretBasicAuthenticator implements ClientAuthenticator { LoggerWrapper log = LoggerWrapper.getLogger(ClientSecretBasicAuthenticator.class); @Override public ClientAuthenticationType type() { return ClientAuthenticationType.client_secret_basic; } @Override public ClientCredentials authenticate(BackchannelRequestContext context) { RequestedClientId requestedClientId = context.requestedClientId(); throwExceptionIfNotContainsClientSecretBasic(context); throwExceptionIfUnMatchClientSecret(context); ClientSecret clientSecret = context.clientSecretBasic().clientSecret(); log.debug( "Client authentication succeeded: method={}, client_id={}", ClientAuthenticationType.client_secret_basic.name(), requestedClientId.value()); return new ClientCredentials( requestedClientId, ClientAuthenticationType.client_secret_basic, clientSecret, new ClientAuthenticationPublicKey(), new ClientAssertionJwt(), new ClientCertification()); } void throwExceptionIfUnMatchClientSecret(BackchannelRequestContext context) { ClientSecretBasic clientSecretBasic = context.clientSecretBasic(); ClientConfiguration clientConfiguration = context.clientConfiguration(); RequestedClientId clientId = context.requestedClientId(); if (!clientConfiguration.matchClientSecret(clientSecretBasic.clientSecret().value())) { throw new ClientUnAuthorizedException( ClientAuthenticationType.client_secret_basic.name(), clientId, "client_secret does not match"); } } void throwExceptionIfNotContainsClientSecretBasic(BackchannelRequestContext context) { RequestedClientId clientId = context.requestedClientId(); if (!context.hasClientSecretBasic()) { throw new ClientUnAuthorizedException( ClientAuthenticationType.client_secret_basic.name(), clientId, "request does not contain client_secret_basic"); } } }